VMware has issued VMware Fusion 13.6.3 with a security update. The release resolves an information disclosure vulnerability (CVE-2025-22226) that could allow a malicious actor with administrative privileges to leak memory from the vmx process. VMware considers this issue to be in the “important severity range” and recommends that you update as soon as you can. (Free/$149.99/$199.99 new, free update, release notes, macOS 13+)
At the moment, there are no longer automatic updates for VMware Fusion and other Broadcom products while in the program as it will return the message “The update server could not be resolved.” According to this thread, that is intentional and new downloads will have to go through the Broadcom website:
The explanation for this change is Broadcom screwed up.
What they were trying to do is change their VMware software distribution system for certain products so that the download URL is unique to each customer. Those products are vCenter Server, vSphere ESXi, and SDDC Manager. Broadcom provided scripts to adapt these products to the new scheme.
I think the reason behind the change was that they are claiming that some customers are downloading and using products that they’re not licensed for, or otherwise exceeding the license. There are some lawsuits about this, which started right before this change.
Anyway, you know which products are not in the list of affected products? VMware Workstation and VMware Fusion. But they got impacted, because Broadcom disabled the software download URLs that these products are also using.
This is bigger than just “can’t check for updates” or “can’t do an in-app update”. For a long time now Workstation and Fusion’s install doesn’t include all the components of the program, some are installed on demand, depending on which kind of guest you’re creating. If you create a Linux guest, then it downloads Linux components, and so on.
Broadcom broke that too! And where can you find the missing components on the Broadcom site? Nowhere obvious.
So characterizing this change as intentional is misleading. The intent was to change how software downloads work in other products. The resulting impact on Workstation and Fusion is a side effect due to corporate incompetence.
An employee in the thread stated that it was intentional, so that is not my interpretation but a statement of fact.
Whether they screwed up is a matter of opinion but companies do change policies all the time. The problem is that there does not seem to be adequate communication about the change. At the very least, an email or other communication regarding the change should have been forthcoming.
I haven’t used VMware Fusion (and Workstation for non-Mac OSes) since my employment days, which ended at the end of 2016. Has it improved? I still use VirtualBox, which is free. VirtualBox doesn’t run on ARM Macs, but can VMware do that now? I know VMware Fusion went free, but is its snapshot feature free for testing purposes? That is what I use a lot in both VirtualBox and VMware (Workstation and Fusion).
I use VMware Fusion on my M1 Air to run Windows 11 and it works fine, but I don’t use it that much. I have used VirtualBox on my Mac Mini running Catalina and it worked fine for running an old OS like Snow Leopard, but the interface looked older as I recall and you couldn’t have a full screen like you could in VMware Fusion. I’m using the free personal version. I don’t know about the snapshot feature.